Securing inter-autonomous system links

ABSTRACT

In one example, an autonomous system boundary router (ASBR) forms part of a first autonomous system (AS). The ASBR is between a first provider edge (PE) router of the first AS and a second PE router of a second, different AS. The first PE router and the second PE router form a Multiprotocol Label Switching (MPLS) path. The ASBR includes an interface communicatively coupled to a routing device external to the first AS, a memory configured to store a forwarding table associated with the interface, and one or more processing units configured to receive a packet via the interface, determine that the packet is encapsulated by an MPLS label, select a forwarding table based on the interface by which the packet was received, and forward the packet according to forwarding information of the forwarding table when the forwarding table includes the MPLS label.

TECHNICAL FIELD

This disclosure relates to computer networks and, more particularly, to tunneling of network-based traffic.

BACKGROUND

A computer network is a collection of interconnected computing devices that exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets. The packets are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form. Dividing the data into packets enables the source device to resend only those individual packets that may be lost during transmission.

A private network may include a number of devices, such as computers, owned or administered by a single enterprise. These devices may be grouped into a number of site networks, which in turn may be geographically distributed over a wide area. Each site network may include one or more local area networks (LANs). With the advent of Virtual Private Network (VPN) technology, enterprises can now securely share data between site networks over a public network, such as the Internet. In a typical implementation, one or more “network tunnels” are engineered through the intermediate network to transport data and other network communications between the geographically distributed sites.

One form of a VPN is generally referred to as “MPLS VPN,” in which Multi-Protocol Label Switching (MPLS) tunnels are used as a transport mechanism. MPLS is a mechanism used to engineer traffic patterns within Internet Protocol (IP) networks. By utilizing MPLS, a source device can request a path through a network to a destination device, i.e., a Label Switched Path (LSP), to carry MPLS packets from the source device to a destination device. Each router along an LSP allocates a label and propagates the label to the closest upstream router along the path for use in forwarding MPLS packets along the path. Routers along the path cooperatively perform MPLS operations to forward the MPLS packets along the established path.

An MPLS VPN combines the tunneling processes of MPLS with virtual routing and forwarding (VRF) and features of border gateway protocol (BGP) to create a VPN. When a VPN is established within a network, devices for the VPN each include VPN-specific VRF tables. Greater details regarding VPNs, specifically VPNs implemented using BGP and MPLS, are discussed in E. Rosen and Y. Rekhter, “BGP/MPLS IP Virtual Private Networks (VPNs),” RFC 4364, February 2006, available at http://tools.ietf.org/html/rfc4364, and L. Andersson and T. Madsen, “Provider Provisioned Virtual Private Network (VPN) Terminology,” RFC 4026, March 2005, available at tools.ietf.org/html/rfc4026, the entire contents of each of which are incorporated by reference in their respective entireties.

Other forms of tunneling may be used instead of or in conjunction with MPLS. For example, another commonly used tunneling protocol is the Generic Routing Encapsulation (GRE) protocol, which is typically used to encapsulate packets within Internet Protocol (IP) tunnels, thereby creating a virtual point-to-point link between devices, such as routers.

RFC 4364 describes various scenarios in which two sites of a VPN are connected to different Autonomous Systems (ASs). For example, the two sites may be connected to different service providers (SPs). In such instances, RFC 4364 recognizes that provider edge (PE) routers associated with that VPN cannot maintain interior BGP (IBGP) connections with each other. Thus, RFC 4364 describes the use of exterior BGP (EBGP) to distribute VPN-IPv4 addresses and labeled VPN-IPv4 routes.

SUMMARY

In general, this disclosure describes techniques for securing inter-autonomous system (AS) links. For example, suppose that provider edge (PE) routers of a Multiprotocol Label Switching (MPLS) path (such as for a virtual private network (VPN)) are present in different ASs. In this case, autonomous system boundary routers (ASBRs) lie along the MPLS path at the edges of the different ASs. The ASBRs may exchange labeled routes (e.g., labeled VPN-IPv4 routes) using exterior border gateway protocol (EBGP). However, absent the techniques of this disclosure, advertisements of such labeled routes may be spoofed. This disclosure describes techniques by which the ASBRs may prevent spoofing of such labeled route advertisements. In particular, the ASBRs may instantiate forwarding tables for MPLS paths that store distributed labels. In this manner, upon receipt of a packet encapsulated by a label (which may correspond to a packet to be forwarded by the ASBR or a route advertisement), an ASBR may determine whether the label was previously distributed by the ASBR (e.g., by checking the forwarding table). Then, the ASBR may install the route (or forward the packet) only when the label was previously distributed.

In one example, a method is performed by an autonomous system boundary router (ASBR) device of a first autonomous system (AS). The ASBR device is between a first provider edge (PE) router of the first AS and a second PE router of a second, different AS. The first PE router and the second PE router form a Multiprotocol Label Switching (MPLS) path. The method includes receiving a packet via an interface of the ASBR device that is communicatively coupled to a routing device external to the first AS, determining that the packet is encapsulated by an MPLS label, selecting a forwarding table based on the interface by which the packet was received, and forwarding the packet according to forwarding information to which the forwarding table maps the MPLS label.

In another example, an autonomous system boundary router (ASBR) device is included in a first autonomous system (AS) and between a first provider edge (PE) router of the first AS and a second PE router of a second, different AS. The first PE router and the second PE router form a Multiprotocol Label Switching (MPLS) path. The ASBR device includes an interface communicatively coupled to a routing device external to the first AS and a memory configured to store a forwarding table associated with the interface. The ASBR device also includes one or more processing units configured to receive a packet via the interface, determine that the packet is encapsulated by an MPLS label, select a forwarding table based on the interface by which the packet was received, and forward the packet according to forwarding information to which the forwarding table maps the MPLS label.

In another example, a non-transitory computer-readable storage medium has stored thereon instructions to be executed by a processor of an autonomous system boundary router (ASBR) device of a first autonomous system (AS). The ASBR device is between a first provider edge (PE) router of the first AS and a second PE router of a second, different AS. The first PE router and the second PE router form a Multiprotocol Label Switching (MPLS) path. When executed, the instructions cause the processor of the ASBR device to receive a packet via an interface of the ASBR device that is communicatively coupled to a routing device external to the first AS, determine that the packet is encapsulated by an MPLS label, select a forwarding table based on the interface by which the packet was received, and forward the packet according to forwarding information to which the forwarding table maps the MPLS label.

In another example, a first autonomous system (AS) includes a first provider edge (PE) router that forms a Multiprotocol Label Switching (MPLS) path with a second PE routing device of a second, different AS and an autonomous system boundary router (ASBR) device between the first PE router and the second PE router. The ASBR device of the first AS includes an interface communicatively coupled to a routing device external to the first AS, a memory configured to store a forwarding table associated with the interface, and one or more processing units configured to receive a packet via the interface, determine that the packet is encapsulated by an MPLS label, select a forwarding table based on the interface by which the packet was received, and forward the packet according to forwarding information to which the forwarding table maps the MPLS label.

The details of one or more examples are set forth in the accompanying drawings and the description below. Other features, objects, and advantages will be apparent from the description and drawings, and from the claims.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram illustrating an example network including two autonomous systems (ASs), including respective AS boundary routers (ASBRs).

FIG. 2 is a block diagram illustrating an example arrangement of components of an ASBR.

FIG. 3 is a flowchart illustrating an example method for determining how to process labeled data received from a device external to an AS.

FIG. 4 is a flowchart illustrating another example method in accordance with the techniques of this disclosure.

DETAILED DESCRIPTION

FIG. 1 is a block diagram illustrating an example network 100 including two autonomous systems (ASs) 110, 120. AS 110 includes provider edge (PE) router 112, router 114, and autonomous system boundary router (ASBR) 116. AS 120 includes PE router 126, router 124, and ASBR 122. PE routers 112, 126 form a Multiprotocol Label Switching (MPLS) path 140 that includes, e.g., ASBRs 116, 122. That is, PE routers 112, 126 act as endpoints (e.g., ingress and egress points, respectively) for MPLS path 140.

ASBR 116 and ASBR 122 are communicatively coupled by link 130. Link 130 directly couples ASBR 116 and ASBR 122 in this example.

ASs 110, 120 may represent distinct service provider networks. That is, ASs 110, 120 may be operated by distinct entities for providing services. Services that may be provided by ASs 110, 120 include, for example, virtual private network (VPN) services, Voice over IP (VoIP), access for Asynchronous Transfer Mode (ATM) or frame relay communications, Internet protocol (IP) data services, and multimedia distribution services, such as video streaming. Because ASs 110, 120 are separate, PE routers 112, 126 will not be able to maintain internal border gateway protocol (IBGP) connections with each other. Thus, PE routers 112, 126 (along with ASBRs 116, 122) may exchange routing information using techniques described in, e.g., RFC 4364, such as advertising labeled routes according to exterior BGP (EBGP) (described in RFC 4364 Section 10, Options B and C).

Because ASs 110, 120 represent distinct service provider networks, a service provided between ASs 110, 120 may be referred to as an inter-provider service. For example, ASs 110, 120 may provide an inter-provider MPLS path service, represented by MPLS path 140. In some examples, MPLS path 140 may represent a path for a VPN. Accordingly, ASs 110, 120 may provide an inter-provider MPLS VPN service.

One major issue with the inter-provider MPLS VPN service is data plane security, mainly label spoofing, when MPLS is enabled for an inter-provider link, such as link 130. One example of this inter-provider MPLS enabled VPN service model is defined by RFC 4364 section 10 options B and C. RFC 4364 section 13 adds a requirement for data plane security to mitigate label spoofing. Behringer, “Analysis of the Security of BGP/MPLS IP Virtual Private Networks (VPNs),” Network Working Group, RFC 4381, February 2006, available at tools.ietf.org/html/rfc4381, sections 4.2(b) and (c), analyzes the data plane security problem in detail.

The techniques of this disclosure can prevent data plane label spoofing, offering a solution to the issue discussed in RFC 4364 Section 13 for Option B. Anti-label spoofing is required for MPLS data traffic coming from an untrusted ASBR connected through an MPLS interface. For example, let ASBR 116 represent an ASBR device performing the techniques of this disclosure, and let ASBR 122 represent an untrusted ASBR connected to ASBR 116 via an MPLS interface. ASBR 116 may be directly coupled to ASBR 122. It is assumed that devices of autonomous system 110 (e.g., PE router 112 and router 114) are well protected against label spoofing. It is further assumed that ASBR 116 and ASBR 122 exchange labels using BGP (e.g., EBGP).

In general, ASBR 116 maintains a context-specific label space in multiple MPLS label forwarding information bases (FIBs), also referred to as forwarding tables. The context may correspond to a network interface (e.g., a network interface card) connected to a device external to AS 110 (such as ASBR 122 or another router of link 130). ASBR 116 may therefore instantiate a new forwarding table (e.g., a routing information base (RIB)) corresponding to the network interface by which ASBR 116 is coupled to link 130. Furthermore, ASBR 116 includes data that associates the network interface to link 130 (an inter-provider link, in this example) with the new forwarding table.

ASBR 116 installs forwarding information in this new forwarding table according to protocols being executed with respect to link 130. ASBR 116 may maintain a routing table for inter-AS links, such as link 130. Similarly, ASBR 116 instantiates distinct forwarding tables for each inter-provider link (although only one such link, link 130, is shown in the example of FIG. 1). Separately, ASBR 116 maintains a routing table and a forwarding table for AS 110. With this approach, ASBR 116 installs labels advertised to core-facing interfaces (also referred to as trusted interfaces) in the forwarding table for AS 110, and ASBR 116 installs labels advertised to inter-provider link interfaces in the respective forwarding tables.

By maintaining such different forwarding tables for different label domains, only inter-provider link advertised labels are installed in their respective forwarding tables. Thus, ASBR 116 may prevent label spoofing, because if a device coupled to one interface of ASBR 116 uses a label that was only advertised to a different interface of ASBR 116, ASBR 116 will determine that the label was not installed in the routing table of the interface by which the label was received. Thus, ASBR 116 may, e.g., drop packets encapsulated by labels that were not distributed on corresponding links by which the packets were received. ASBR 116 may thereby prevent label spoofing.

For example, suppose packets of MPLS path 140 are encapsulated by label L1. Suppose further that ASBR 116 is communicatively coupled to multiple different ASBRs including ASBR 122 (other ASBRs not shown in FIG. 1). Furthermore, ASBR 116 may store label L1 in a routing table and a forwarding table associated with link 130. Accordingly, ASBR 116 may distribute label L1 via an interface coupled to link 130, and ASBR 122 may advertise a labeled route using label L1 accordingly. In response, because label L1 was previously stored in the routing table associated with link 130, ASBR 116 may install the route in the routing table associated with link 130 when the route is labeled with label L1. Similarly, if ASBR 116 receives a packet encapsulated by label L1 via the interface coupled to link 130, ASBR 116 may determine that label L1 is present in the forwarding table associated with link 130, and thus forward the packet according to the forwarding information of the forwarding table (e.g., to router 114).

However, assume that ASBR 116 receives a packet labeled with L1 via a different interface. ASBR 116 may determine whether L1 is present in a forwarding table associated with the different interface. Since L1 is associated with link 130 (per the discussion above), ASBR 116 may determine that L1 is not present in the forwarding table associated with the different interface. Accordingly, ASBR 116 may drop the packet, thereby preventing label spoofing. This assumes that label L1 was not previously and separately distributed via the different interface; labels need not be unique between different label spaces.

In this manner, routing and forwarding information for untrusted peers of ASBR 116 (that is, network devices that are not included in AS 110) may be isolated from routing and forwarding information of trusted peers (that is, other network devices of AS 110, such as PE router 112 and router 114). Thus, ASBR 116 may maintain separate routing and forwarding tables for MPLS families, populated only with labels exchanged with peers of a corresponding routing instance. The instance-specific tables also provide a separate routing domain, which may provide security similar to a firewall for IP traffic.

FIG. 2 is a block diagram illustrating an example arrangement of components of ASBR 116 of FIG. 1. ASBR 122 may include similar components. In the example of FIG. 2, ASBR 116 includes inter-provider-link-facing interface cards 174A-174N (“inter-provider-link facing IFCs 174”) for communicating packets via inbound links 182A-182N (“inbound links 182”) and outbound links 180A-180N (“outbound links 180”) and core-facing interface cards 172A-172N (“core-facing IFCs 172”) for communicating packets via outbound links 178A-178N (“outbound links 178”) and inbound links 176A-176N (“inbound links 176”). Core-facing IFCs 172 are coupled to outbound links 178 and inbound links 176, and inter-provider-link facing IFCs 174 are coupled to inbound links 182 and outbound links 180, via a number of interface ports (not shown). Each of core-facing IFCs 172 is coupled to a respective network device of AS 110, while each of inter-provider-link facing IFCs 174 is coupled to a respective customer edge network device, any or all of which may belong to distinct customers, or other network devices external to AS 110. It should be understood that the letter “N” is used to represent an arbitrary number of devices, and moreover, that the number of IFCs 174 is not necessarily equal to the number of IFCs 172, although the cardinality for both IFCs 172 and IFCs 174 is designated using the variable “N.”

ASBR 116 also includes processing unit 150. Processing unit 150 includes forwarding engine 164, forwarding information base (FIB) 162, routing engine 154, and routing information base (RIB) 152. Forwarding information base 162 includes AS forwarding table 168 and inter-AS forwarding tables 170, while routing information base 152 includes AS routing table 158 and inter-AS routing table 160. A default routing instance corresponds to AS routing table 158 and AS forwarding table 168. Inter-AS forwarding tables 170 form forwarding instances for inter-AS links, e.g., corresponding to respective ones of IFCs 174.

Processing unit 150 may be implemented in hardware, software, firmware, or any combination thereof. In one example, instructions for forwarding engine 164 are encoded in a computer-readable storage medium and are executed by a processor of processing unit 150. In other examples, forwarding engine 164 corresponds to a discrete hardware unit, such as a digital signal processor (DSP), application specific integrated circuit (ASIC), field programmable gate array (FPGA), or any other equivalent integrated or discrete logic circuitry or combination thereof. Similarly, routing engine 154 comprises any combination of hardware, software, and/or firmware that executes one or more routing protocols to determine routes through a network. Routing engine 154 stores learned and calculated routes in RIB 152, where customer routes for the different VPNs provided by ASBR 116 are stored in inter-AS routing table 160 for generation of VPN-specific forwarding information within each of inter-AS forwarding tables 170. AS forwarding table 168 associates tunnels to devices of links to a separate AS, such as link 130, with one of core-facing IFCs 172. In this way, different routing instances are used to logically isolate the routing and forwarding information for different VPNs.

Processing unit 150 also stores configuration (config) data 156 and mapping data 166. Configuration data 156 is typically provided by an administrator to define the configuration data for ASBR 116, including specifying IFCs 172, 174. In addition, ASBR 116 may generate configuration data 156 to define whether AS routing table 158 or inter-AS routing table 160 corresponds to each of IFCs 172, 174. Similarly, mapping data 166 includes data defining correspondences between AS routing table 158, AS forwarding table 168, inter-AS routing table 160, inter-AS forwarding tables 170, and core-facing IFCs 172 and inter-provider-link facing IFCs 174.

In general, when ASBR 116 receives a packet via one of IFCs 174, e.g., IFC 174A, IFC 174A passes the packet to forwarding engine 164. Forwarding engine 164 inspects the packet to determine a destination of the packet, e.g., based on header information of the packet that includes an Internet protocol (IP) address of the destination or a label used to encapsulate the packet.

In accordance with the techniques of this disclosure, AS routing table 158 and AS forwarding table 168 are associated with core-facing IFCs 172. That is, processing unit 150 utilizes routing information of AS routing table 158 and forwarding information of AS forwarding table 168 for packets received via each of IFCs 172. In other words, processing unit 150 maintains a single routing table and a single forwarding table for core-facing IFCs 172. However, each of inter-provider-link facing IFCs 174 is associated with inter-AS routing table 160 and a respective one of inter-AS forwarding tables 170. In this manner, when ASBR 116 receives a packet via one of inter-provider-link facing IFCs 174, processing unit 150 uses the one of inter-provider-link facing IFCs 174 by which the packet was received as a context for selecting one of inter-AS forwarding tables 170.

For example, if ASBR 116 receives a labeled route advertisement via inter-provider-link facing IFC 174A (e.g., that specifies ASBR 116 as its destination), routing engine 154 may determine whether a label of the labeled route advertisement was previously distributed via inter-provider-link facing IFC 174A. That is, routing engine 154 may select inter-AS routing table 160 associated with inter-provider-link facing IFC 174A (as indicated by configuration data 156), and determine whether the label is stored in the selected one of inter-AS forwarding tables 170. If the label is stored in the selected one of inter-AS forwarding tables 170, forwarding engine 164 may forward the packet to routing engine 154, which installs the route from the labeled route advertisement into inter-AS routing table 160 and then programs forwarding information of a corresponding one of inter-AS forwarding tables 170 (i.e., the one of inter-AS forwarding tables that is associated with IFC 174A). However, if the label is not stored in the selected one of inter-AS forwarding tables 170, forwarding engine 164 may discard the labeled route advertisement.

Likewise, when ASBR 116 receives a packet via one of inter-provider-link facing IFCs 174 that is to be forwarded (e.g., that specifies a destination other than ASBR 116), forwarding engine 164 may determine one of inter-AS forwarding tables 170 to which the one of inter-provider-link facing IFCs 174 corresponds (e.g., based on mapping data 166). As with a labeled route advertisement, forwarding engine 164 may determine one of inter-provider-link facing IFCs 174 from which a labeled packet is received, and use this as context for selecting one of inter-AS forwarding tables 170 in which to perform a lookup for forwarding the packet. Furthermore, forwarding engine 164 may determine whether a label used to encapsulate the packet is present in inter-AS forwarding tables 170. If the label is present, forwarding engine 164 forwards the packet via one of IFCs 172 to which forwarding information of the selected one of inter-AS forwarding tables 170 maps the label (or other information of the packet, e.g., a different label of a label stack of the packet or a destination IP address specified in header information of the packet). However, if the label is not present in the selected one of inter-AS forwarding tables 170, forwarding engine 164 may drop the packet.

In this manner, ASBR 116 represents an example of an ASBR of a first AS (AS 110) between a first PE router (PE router 112) of the first AS and a second PE router (PE router 126) of a second, different AS (AS 120), where the first PE router and the second PE router form an MPLS path (MPLS path 140). Furthermore, ASBR 116 in this example includes an interface communicatively coupled to a routing device external to the first AS (e.g., inter-provider-link facing IFCs 174), a memory configured to store a forwarding table associated with the interface (e.g., inter-AS forwarding tables 170), and one or more processing units (e.g., processing unit 150) configured to receive a packet via the interface, determine that the packet is encapsulated by an MPLS label, select a forwarding table based on the interface by which the packet was received, and forward the packet according to forwarding information to which the forwarding table maps the MPLS label.

FIG. 3 is a flowchart illustrating an example method for determining how to process labeled data received from a device external to an AS. The method of FIG. 3 may be performed by, for example, ASBR 116 or ASBR 122. For purposes of explanation, the method of FIG. 3 is explained with respect to ASBR 116.

Initially, ASBR 116 may determine that an interface (e.g., one of IFCs 174) is communicatively coupled to a link to an inter-AS device (200). For example, ASBR 116 may be configured with information by an administrator that indicates that the interface is communicatively coupled to a device external to AS 110. The interface may be coupled to a link, such as link 130, that ultimately reaches a separate AS, such as AS 120.

In response to the determination, ASBR 116 may instantiate a forwarding table for the interface (202). In examples where interfaces are coupled to devices of AS 110 (i.e., the same AS that ASBR 116 is included in), ASBR 116 may use a common forwarding table for storing forwarding information of the interfaces. However, in the example of FIG. 3, because the interface is communicatively coupled to a device external to AS 110, ASBR 116 instantiates a separate forwarding table, e.g., one of inter-AS forwarding tables 170.

ASBR 116 also distributes a label via the interface (204). ASBR 116 also stores the label in the forwarding table (206), i.e., the forwarding table that was instantiated for the interface by which the label was distributed. Moreover, ASBR 116 may distribute multiple labels via the interface, and store each of the labels in the forwarding table (and may also store the labels in the routing table for the interface).

Subsequently, ASBR 116 may receive labeled data via the interface (208). That is, the data may be encapsulated by a label or otherwise include the label. The label need not necessarily be the same as the label distributed at step 204. Accordingly, ASBR 116 may process the data based on whether the label included with the data is included in the forwarding table (210). In particular, if the label included with the data is also included in the forwarding table, ASBR 116 may use the received data, whereas if the label is not included in the forwarding table, ASBR 116 may discard the data.

For example, if the received data is a labeled route advertisement, and the label is included in the forwarding table for the interface, ASBR 116 may install the route in the routing table instantiated for the interface. Alternatively, if the received data is a labeled packet (that is, a packet encapsulated by an MPLS label stack including the label), is destined for a separate device, and the label is included in the forwarding table for the interface, ASBR 116 may forward the packet according to forwarding information of the forwarding table instantiated for the interface by which the packet was received.
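The label L1 scenario described for FIG. 1 and steps 200 through 210 of FIG. 3 are modelled below in Python. This is an added example, not code from the disclosure: the interface names (ifc-174A, ifc-172A and so on), the label value 1001 standing in for L1, and the prefix 10.0.0.0/24 are constructed, and the forwarding information is reduced to "which core-facing interface the label maps to". The model keeps one forwarding table per inter-AS interface plus a single shared table for core-facing interfaces, and handles both kinds of labeled data (a transit packet and a labeled route advertisement), including the case where the same label value is legitimately distributed in two different label spaces.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model of an ASBR that keeps one MPLS forwarding table per
# inter-AS interface plus a single AS-wide table for core-facing interfaces.
# Interface names, label values and prefixes below are illustrative.


@dataclass
class LabelFib:
    """One MPLS forwarding table: incoming label -> outgoing interface."""
    entries: Dict[int, str] = field(default_factory=dict)


@dataclass
class Asbr:
    core_fib: LabelFib = field(default_factory=LabelFib)
    inter_as_fibs: Dict[str, LabelFib] = field(default_factory=dict)
    # Per-interface routing table for accepted labeled routes: prefix -> label.
    inter_as_ribs: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def configure_inter_as_interface(self, ifc: str) -> None:
        """Steps 200/202: the interface faces another AS, so give it its own tables."""
        self.inter_as_fibs.setdefault(ifc, LabelFib())
        self.inter_as_ribs.setdefault(ifc, {})

    def table_for(self, ifc: str) -> LabelFib:
        """The receiving interface is the context that selects the table;
        interfaces without their own table are core-facing and share core_fib."""
        return self.inter_as_fibs.get(ifc, self.core_fib)

    def distribute_label(self, ifc: str, label: int, out_ifc: str) -> None:
        """Steps 204/206: advertise a label on an interface and record it only in
        the table that belongs to that interface."""
        self.table_for(ifc).entries[label] = out_ifc

    def receive_labeled_packet(self, ifc: str, label: int) -> Tuple[str, Optional[str]]:
        """Steps 208/210 for transit traffic: forward only if this interface's own
        table holds the label; a label advertised only elsewhere is dropped."""
        out_ifc = self.table_for(ifc).entries.get(label)
        if out_ifc is None:
            return ("drop", None)
        return ("forward", out_ifc)

    def receive_labeled_route(self, ifc: str, prefix: str, label: int) -> bool:
        """Steps 208/210 for a labeled route advertisement: install the route in the
        interface's routing table only if the label was distributed on that interface."""
        if ifc not in self.inter_as_fibs or label not in self.inter_as_fibs[ifc].entries:
            return False
        self.inter_as_ribs[ifc][prefix] = label
        return True


def demo() -> Dict[str, object]:
    """Walk through the label L1 scenario of FIG. 1 with constructed values."""
    asbr = Asbr()
    asbr.configure_inter_as_interface("ifc-174A")  # link 130 toward ASBR 122
    asbr.configure_inter_as_interface("ifc-174B")  # a second inter-provider link
    asbr.configure_inter_as_interface("ifc-174C")  # a third link, nothing distributed yet
    label_l1 = 1001
    asbr.distribute_label("ifc-174A", label_l1, "ifc-172A")  # L1 leads toward router 114
    asbr.distribute_label("ifc-174B", label_l1, "ifc-172B")  # same value, separate label space
    return {
        "packet_L1_from_174A": asbr.receive_labeled_packet("ifc-174A", label_l1),
        "packet_L1_from_174B": asbr.receive_labeled_packet("ifc-174B", label_l1),
        "packet_L1_from_174C": asbr.receive_labeled_packet("ifc-174C", label_l1),
        "route_L1_from_174A": asbr.receive_labeled_route("ifc-174A", "10.0.0.0/24", label_l1),
        "route_L1_from_174C": asbr.receive_labeled_route("ifc-174C", "10.0.0.0/24", label_l1),
        "rib_174A": asbr.inter_as_ribs["ifc-174A"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running demo() shows the two halves of the technique: label 1001 received on ifc-174A or ifc-174B is forwarded to the core-facing interface recorded in that interface's own table, while the same label arriving on ifc-174C (where it was never distributed) is dropped, and a labeled route carrying that label is installed only when it arrives on an interface whose table already contains it.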

FIG. 4 is a flowchart illustrating another example method in accordance with the techniques of this disclosure. Again, for purposes of example, the method of FIG. 4 is explained with respect to ASBR 116, although ASBR 122 may perform a similar method.

In this example, ASBR 116 receives a packet via an inter-AS interface (220), such as one of inter-provider-link facing IFCs 174. The interface provides the packet to forwarding engine 164. Forwarding engine 164 determines that the packet is encapsulated by a label (222), such as an MPLS label stack including the label. For example, forwarding engine 164 may process a header of the packet and determine that there is an MPLS header between an Ethernet header and an IP header of the packet. That is, data of the Ethernet header may specify an Ethertype value that indicates that the packet includes an MPLS header.

Forwarding engine 164 selects a forwarding table based on the interface by which the packet was received (224). That is, forwarding engine 164 selects the forwarding table (one of inter-AS forwarding tables 170) that is associated with the interface. Accordingly, forwarding engine 164 determines whether the label used to encapsulate the packet is included in the forwarding table (226). If the label is included in the forwarding table (“YES” branch of 226), forwarding engine 164 forwards the packet using data of the forwarding table (228). For example, the forwarding table may map a destination of the packet (which may be specified by the label, another label of the MPLS label stack, an IP header of the packet, or other information) to one of core-facing IFCs 172. However, if the label is not included in the forwarding table (“NO” branch of 226), forwarding engine 164 may discard the packet (230).
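Steps 222 through 230 of FIG. 4 at the byte level, as an added example that is not part of the disclosure: the Ethertype in the Ethernet header decides whether the packet is MPLS-encapsulated (0x8847 is the standard MPLS unicast Ethertype, and the 32-bit shim layout of 20-bit label, 3-bit traffic class, 1-bit bottom-of-stack and 8-bit TTL follows RFC 3032), the receiving interface selects the table, and the top label is looked up in that table. The interface names and table contents are constructed, the per-interface table is a plain dict keyed by label, and a truncated label stack is treated as "not a valid labeled packet" rather than silently matched.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Added example: byte-level version of steps 222-230 of FIG. 4.
# Ethertype 0x8847 and the shim layout (label 20 bits, TC 3 bits, S 1 bit,
# TTL 8 bits) are the standard MPLS encoding (RFC 3032). Interface names and
# table contents are constructed for illustration.

ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_IPV4 = 0x0800

# One label table per inter-AS interface: label -> core-facing output interface.
InterAsFibs = Dict[str, Dict[int, str]]


def parse_mpls_label_stack(frame: bytes) -> Optional[List[Tuple[int, int, bool, int]]]:
    """Step 222: if the Ethernet header announces MPLS, return the label stack as
    (label, traffic_class, bottom_of_stack, ttl) tuples; otherwise None.
    A stack that runs past the end of the frame is reported as None as well."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_MPLS_UNICAST:
        return None
    stack: List[Tuple[int, int, bool, int]] = []
    offset = 14
    while True:
        if len(frame) < offset + 4:
            return None  # truncated shim header
        (word,) = struct.unpack("!I", frame[offset:offset + 4])
        label = word >> 12
        traffic_class = (word >> 9) & 0x7
        bottom = bool((word >> 8) & 0x1)
        ttl = word & 0xFF
        stack.append((label, traffic_class, bottom, ttl))
        offset += 4
        if bottom:
            return stack


def build_frame(ethertype: int, labels: List[int], payload: bytes = b"") -> bytes:
    """Constructed test frame: dummy MAC addresses, the given Ethertype, one shim
    per label with TC 0 and TTL 64, bottom-of-stack set on the last one."""
    header = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    header += struct.pack("!H", ethertype)
    shims = b"".join(
        struct.pack("!I", (label << 12) | ((1 if i == len(labels) - 1 else 0) << 8) | 64)
        for i, label in enumerate(labels)
    )
    return header + shims + payload


def process_inter_as_packet(frame: bytes, in_ifc: str,
                            fibs: InterAsFibs) -> Tuple[str, Optional[str]]:
    """Steps 222-230: select the table by receiving interface (224), look up the
    top label (226), then forward to the mapped core interface (228) or drop (230)."""
    stack = parse_mpls_label_stack(frame)
    if stack is None:
        return ("not-mpls", None)  # unlabeled or malformed; outside the FIG. 4 path
    fib = fibs.get(in_ifc)
    if fib is None:
        return ("drop", None)  # no inter-AS table instantiated for this interface
    top_label = stack[0][0]
    out_ifc = fib.get(top_label)
    if out_ifc is None:
        return ("drop", None)  # label was never distributed on this interface
    return ("forward", out_ifc)


if __name__ == "__main__":
    fibs: InterAsFibs = {"ifc-174A": {1001: "ifc-172A"}, "ifc-174B": {}}
    frame = build_frame(ETHERTYPE_MPLS_UNICAST, [1001, 17], b"\x45" + b"\x00" * 19)
    print(process_inter_as_packet(frame, "ifc-174A", fibs))  # ('forward', 'ifc-172A')
    print(process_inter_as_packet(frame, "ifc-174B", fibs))  # ('drop', None)
```

Only the top label is consulted for the anti-spoofing decision, which matches the flowchart: the inner label (17 in the constructed frame) is carried through untouched as part of the forwarded packet.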

In this manner, the method of FIG. 4 may be performed by an ASBR device (e.g., ASBR 116) of a first AS (e.g., AS 110), where the ASBR device is between a first PE router (e.g., PE router 112) of the first AS and a second PE router (e.g., PE router 126) of a second, different AS (e.g., AS 120), and where the first PE router and the second PE router form an MPLS path (e.g., MPLS path 140). The method of FIG. 4 also represents an example of a method including receiving a packet via an interface of the ASBR device that is communicatively coupled to a routing device external to the first AS, determining that the packet is encapsulated by an MPLS label, selecting a forwarding table based on the interface by which the packet was received, and forwarding the packet according to forwarding information of the forwarding table when the forwarding table includes the MPLS label.

Although the method of FIG. 4 represents an example of a packet to be forwarded by ASBR 116, in other examples, a packet may be destined for ASBR 116 itself. For example, the packet may specify ASBR 116 as its destination, and include a labeled route advertisement. In some examples, ASBR 116 may process such a packet in substantially the same way, e.g., determining whether the label is included in the forwarding table. However, rather than forwarding the packet via one of core-facing IFCs 172, forwarding engine 164 may forward the packet to routing engine 154 after determining whether a label of the packet was distributed via the interface from which the packet was received.

The techniques described in this disclosure may be implemented, at least in part, in hardware, software, firmware or any combination thereof. For example, various aspects of the described techniques may be implemented within one or more processors, including one or more microprocessors, digital signal processors (DSPs), application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or any other equivalent integrated or discrete logic circuitry, as well as any combinations of such components. The term “processor” or “processing circuitry” may generally refer to any of the foregoing logic circuitry, alone or in combination with other logic circuitry, or any other equivalent circuitry. A control unit comprising hardware may also perform one or more of the techniques of this disclosure.

Such hardware, software, and firmware may be implemented within the same device or within separate devices to support the various operations and functions described in this disclosure. In addition, any of the described units, modules or components may be implemented together or separately as discrete but interoperable logic devices. Depiction of different features as modules or units is intended to highlight different functional aspects and does not necessarily imply that such modules or units must be realized by separate hardware or software components. Rather, functionality associated with one or more modules or units may be performed by separate hardware or software components, or integrated within common or separate hardware or software components.

The techniques described in this disclosure may also be embodied or encoded in a computer-readable medium, such as a computer-readable storage medium, containing instructions. Instructions embedded or encoded in a computer-readable medium may cause a programmable processor, or other processor, to perform the method, e.g., when the instructions are executed. Computer-readable media may include non-transitory computer-readable storage media and transient communication media. Computer-readable storage media, which are tangible and non-transitory, may include random access memory (RAM), read only memory (ROM), programmable read only memory (PROM), erasable programmable read only memory (EPROM), electronically erasable programmable read only memory (EEPROM), flash memory, a hard disk, a CD-ROM, a floppy disk, a cassette, magnetic media, optical media, or other computer-readable storage media. It should be understood that the term “computer-readable storage media” refers to physical storage media, and not signals, carrier waves, or other transient media.

Various examples have been described. These and other examples are within the scope of the following claims.

What is claimed is:
 1. A method comprising, by an autonomous system boundary router (ASBR) device of a first autonomous system (AS), wherein the ASBR device is between a first provider edge (PE) router of the first AS and a second PE router of a second, different AS, and wherein the first PE router and the second PE router form a Multiprotocol Label Switching (MPLS) path: receiving a packet via an interface of the ASBR device that is communicatively coupled to a routing device external to the first AS; determining that the packet is encapsulated by an MPLS label; selecting a forwarding table based on the interface by which the packet was received; and forwarding the packet according to forwarding information of the forwarding table when the forwarding table includes the MPLS label.
 2. The method of claim 1, further comprising, prior to receiving the packet, instantiating the forwarding table and associating the forwarding table with the interface.
 3. The method of claim 1, wherein the packet comprises a first packet and the MPLS label comprises a first MPLS label, the method further comprising: receiving a second packet via the interface; determining that the second packet is encapsulated by a second MPLS label; and in response to determining that the second MPLS label is not included in the forwarding table, dropping the second packet.
 4. The method of claim 1, wherein the packet comprises a first packet, the interface comprises a first interface, and the forwarding table comprises a first forwarding table, the method further comprising: receiving a second packet via a second interface of the ASBR device that is communicatively coupled to a routing device internal to the first AS; selecting a second forwarding table associated with the second interface; and forwarding the second packet according to forwarding information of the second forwarding table.
 5. The method of claim 1, wherein the MPLS path is associated with a virtual private network (VPN).
 6. The method of claim 1, wherein the interface comprises a first inter-AS interface of a plurality of inter-AS interfaces, wherein the forwarding table comprises a first forwarding table, and wherein the MPLS path comprises a first MPLS path of a plurality of MPLS paths, each of the plurality of MPLS paths being associated with a corresponding one of the plurality of inter-AS interfaces, the method further comprising maintaining a plurality of forwarding tables each associated with a corresponding one of the plurality of inter-AS interfaces.
 7. The method of claim 6, further comprising maintaining a single forwarding table associated with all interfaces of the ASBR device that are communicatively coupled to devices within the first AS, wherein the single forwarding table is separate from the plurality of forwarding tables associated with the plurality of inter-AS interfaces.
 8. An autonomous system boundary router (ASBR) device of a first autonomous system (AS), wherein the ASBR device is between a first provider edge (PE) router of the first AS and a second PE router of a second, different AS, and wherein the first PE router and the second PE router form a Multiprotocol Label Switching (MPLS) path, the ASBR device comprising: an interface communicatively coupled to a routing device external to the first AS; a memory configured to store a forwarding table associated with the interface; and one or more processing units configured to: receive a packet via the interface; determine that the packet is encapsulated by an MPLS label; select a forwarding table based on the interface by which the packet was received; and forward the packet according to forwarding information of the forwarding table when the forwarding table includes the MPLS label.
 9. The ASBR device of claim 8, wherein the one or more processing units comprise a forwarding engine.
 10. The ASBR device of claim 8, wherein the one or more processing units are configured to instantiate the forwarding table and associate the forwarding table with the interface prior to receiving the packet.
 11. The ASBR device of claim 8, wherein the packet comprises a first packet and the MPLS label comprises a first MPLS label, and wherein the one or more processing units are further configured to: receive a second packet via the interface; determine that the second packet is encapsulated by a second MPLS label; and in response to determining that the second MPLS label is not included in the forwarding table, drop the second packet.
 12. The ASBR device of claim 8, wherein the packet comprises a first packet, the interface comprises a first interface, and the forwarding table comprises a first forwarding table, further comprising: a second interface that is communicatively coupled to a routing device internal to the first AS, wherein the one or more processing units are further configured to: receive a second packet via the second interface; select a second forwarding table associated with the second interface; and forward the second packet according to forwarding information of the second forwarding table.
 13. The ASBR device of claim 8, wherein the MPLS path is associated with a virtual private network (VPN).
 14. The ASBR device of claim 8, wherein the interface comprises a first inter-AS interface of a plurality of inter-AS interfaces, wherein the forwarding table comprises a first forwarding table, wherein the MPLS path comprises a first MPLS path of a plurality of MPLS paths, each of the plurality of MPLS paths being associated with a corresponding one of the plurality of inter-AS interfaces, wherein the memory is further configured to store a plurality of forwarding tables, including the first forwarding table, and wherein each of the plurality of forwarding tables is associated with a corresponding one of the plurality of inter-AS interfaces.
 15. The ASBR device of claim 14, wherein the memory is further configured to store a single forwarding table associated with all interfaces of the ASBR device that are communicatively coupled to devices within the first AS, wherein the single forwarding table is separate from the plurality of forwarding tables associated with the plurality of inter-AS interfaces.
 16. A non-transitory computer-readable storage medium comprising instructions that, when executed, cause a processor of an autonomous system boundary router (ASBR) device of a first autonomous system (AS), wherein the ASBR device is between a first provider edge (PE) router of the first AS and a second PE router of a second, different AS, and wherein the first PE router and the second PE router form a Multiprotocol Label Switching (MPLS) path, to: receive a packet via an interface of the ASBR device that is communicatively coupled to a routing device external to the first AS; determine that the packet is encapsulated by an MPLS label; select a forwarding table based on the interface by which the packet was received; and forward the packet according to forwarding information of the forwarding table when the forwarding table includes the MPLS label.
 17. The non-transitory computer-readable storage medium of claim 16, further comprising instructions that cause the processor to, prior to receiving the packet, instantiate the forwarding table and associate the forwarding table with the interface.
 18. The non-transitory computer-readable storage medium of claim 16, wherein the packet comprises a first packet and the MPLS label comprises a first MPLS label, further comprising instructions that cause the processor to: receive a second packet via the interface; determine that the second packet is encapsulated by a second MPLS label; and in response to determining that the second MPLS label is not included in the forwarding table, drop the second packet.
 19. The non-transitory computer-readable storage medium of claim 16, wherein the packet comprises a first packet, the interface comprises a first interface, and the forwarding table comprises a first forwarding table, further comprising instructions that cause the processor to: receive a second packet via a second interface of the ASBR device that is communicatively coupled to a routing device internal to the first AS; select a second forwarding table associated with the second interface; and forward the second packet according to forwarding information of the second forwarding table.
 20. The non-transitory computer-readable storage medium of claim 16, wherein the MPLS path is associated with a virtual private network (VPN).
 21. The non-transitory computer-readable storage medium of claim 16, wherein the interface comprises a first inter-AS interface of a plurality of inter-AS interfaces, wherein the forwarding table comprises a first forwarding table, and wherein the MPLS path comprises a first MPLS path of a plurality of MPLS paths, each of the plurality of MPLS paths being associated with a corresponding one of the plurality of inter-AS interfaces, further comprising instructions that cause the processor to maintain a plurality of forwarding tables each associated with a corresponding one of the plurality of inter-AS interfaces.
 22. The non-transitory computer-readable storage medium of claim 21, further comprising instructions that cause the processor to maintain a single forwarding table associated with all interfaces of the ASBR device that are communicatively coupled to devices within the first AS, wherein the single forwarding table is separate from the plurality of forwarding tables associated with the plurality of inter-AS interfaces.
 23. A first autonomous system (AS) comprising: a first provider edge (PE) router that forms a Multiprotocol Label Switching (MPLS) path with a second PE router of a second, different AS; and an autonomous system boundary router (ASBR) device between the first PE router and the second PE router, the ASBR device comprising: an interface communicatively coupled to a routing device external to the first AS; a memory configured to store a forwarding table associated with the interface; and one or more processing units configured to: receive a packet via the interface; determine that the packet is encapsulated by an MPLS label; select a forwarding table based on the interface by which the packet was received; and forward the packet according to forwarding information of the forwarding table when the forwarding table includes the MPLS label.
 24. The first autonomous system of claim 23, wherein the one or more processing units of the ASBR device comprise a forwarding engine.
 25. The first autonomous system of claim 23, wherein the one or more processing units of the ASBR device are configured to instantiate the forwarding table and associate the forwarding table with the interface prior to receiving the packet.
 26. The first autonomous system of claim 23, wherein the packet comprises a first packet and the MPLS label comprises a first MPLS label, and wherein the one or more processing units of the ASBR device are further configured to: receive a second packet via the interface; determine that the second packet is encapsulated by a second MPLS label; and in response to determining that the second MPLS label is not included in the forwarding table, drop the second packet.
 27. The first autonomous system of claim 23, wherein the packet comprises a first packet, the interface comprises a first interface, and the forwarding table comprises a first forwarding table, the first autonomous system further comprising: a routing device separate from the ASBR device and the first PE router, wherein the ASBR device further comprises a second interface that is communicatively coupled to the routing device, and wherein the one or more processing units of the ASBR device are further configured to: receive a second packet via the second interface; select a second forwarding table associated with the second interface; and forward the second packet according to forwarding information of the second forwarding table.
 28. The first autonomous system of claim 23, wherein the MPLS path is associated with a virtual private network (VPN).
 29. The first autonomous system of claim 23, wherein the interface of the ASBR device comprises a first inter-AS interface of a plurality of inter-AS interfaces of the ASBR device, wherein the forwarding table comprises a first forwarding table of the ASBR device, wherein the MPLS path comprises a first MPLS path of a plurality of MPLS paths, each of the plurality of MPLS paths being associated with a corresponding one of the plurality of inter-AS interfaces of the ASBR device, wherein the memory of the ASBR device is further configured to store a plurality of forwarding tables, including the first forwarding table, and wherein each of the plurality of forwarding tables is associated with a corresponding one of the plurality of inter-AS interfaces.
 30. The first autonomous system of claim 29, wherein the memory of the ASBR device is further configured to store a single forwarding table associated with all interfaces of the ASBR device that are communicatively coupled to devices within the first AS, wherein the single forwarding table of the ASBR device is separate from the plurality of forwarding tables of the ASBR device associated with the plurality of inter-AS interfaces.